Enterprise computing environments employ increasing numbers of computer systems, network systems, and storage systems to satisfy growing computational and storage capacity requirements. A given computing environment typically hosts multiple applications, each requiring customization and certain types of isolation from other applications. To accommodate this customization and isolation, the systems implement a permissions regime that requires each user to be granted a specific permission to perform a specific corresponding action. For example, a computer system may require a user to have permission to execute programs, and a storage system may require a user to have permission to access a specific storage volume or a certain portion of the storage volume, such as a user directory. The storage system may also specifically require read, write, and execute permission for related operations within the storage volume.
As typical computing environments grow to comprise thousands of systems, managing the detailed permissions associated with each system within the computing environment grows increasingly complex and challenging. Administrators are faced with a growing inventory of systems and with the increasing complexity of managing each system. A staff of multiple administrative users is typically employed to manage this growing complexity. One or more of the users may be associated with a predefined “role” that defines specific permissions enabling a user to perform related actions. Being associated with the predefined role has the effect of granting a user permission to perform their assigned administrative tasks within the computing environment.
Virtualized computing environments provide tremendous efficiency and flexibility to systems operators by enabling the computing, storage, and networking resources within the computing environment to be deployed as needed to accommodate specific applications or specific capacity requirements. For example, multiple virtual machines (VMs) may be created and operated on physical computer systems based on demand for new computation resources. Similarly, virtual storage may be allocated and assigned to specified applications as needed. Corresponding permissions for each virtualization management task are conventionally required. For example, permission is typically required to create a new VM, turn a VM on or off, allocate virtual storage, associate storage with a VM, and so forth. While virtualized computing and storage increase efficiency, virtualization also increases administrative complexity by introducing yet more distinct permissions.
One significant administrative challenge in enterprise computing environments is managing a large and growing collection of different permissions required to perform a growing set of administrative tasks. To grant a sufficient set of permissions to a particular role, an administrator typically adds incremental permissions to the role using an iterative, ad hoc process. In this process, a user exercises the role against each administrative task to determine whether all necessary permissions have been granted, and asks the administrator for an additional permission each time a permission error is encountered. Because a role should be granted no permissions beyond those absolutely necessary to perform its specific administrative tasks (the principle of least privilege), permissions are added one at a time rather than granted broadly, and the process repeats until the user is able to perform every administrative task using the role. Each round of this loop costs a failed attempt and an administrator request, so the process is time consuming and inefficient. Therefore, what is needed in the art is a more efficient technique for determining which permissions should be associated with a given role in a computing environment.
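The following is an added illustration, not code from the original text or from any product the text describes. It models the iterative process above in a toy RBAC system: a role holds a set of permission strings, each administrative task requires a set of permissions, and a task fails on the first permission the role lacks. The ad hoc loop adds one permission per failure and counts the resulting round trips to the administrator; a second function computes the same least-privilege set directly from the tasks' stated requirements, and a third flags any permission on a role that no assigned task needs. The task names, permission names, and the assumption that a task reveals only one missing permission per attempt are all constructed for the example.

```python
"""Toy RBAC model of least-privilege role derivation (illustrative, not from the source)."""
from dataclasses import dataclass, field
from typing import Iterable

# Constructed sample: administrative tasks and the permissions each one needs.
# Names are hypothetical; real virtualization platforms use their own vocabularies.
TASKS: dict[str, set[str]] = {
    "provision_vm": {"vm.create", "vm.power_on", "storage.allocate", "storage.attach"},
    "stop_vm": {"vm.power_off"},
    "resize_volume": {"storage.allocate", "storage.attach", "volume.write"},
}


class PermissionDenied(Exception):
    """Raised when a role lacks a permission a task needs."""

    def __init__(self, permission: str) -> None:
        super().__init__(f"permission denied: {permission}")
        self.permission = permission


@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)

    def check(self, permission: str) -> None:
        if permission not in self.permissions:
            raise PermissionDenied(permission)


def run_task(role: Role, task: str) -> None:
    """Check the task's permissions in a fixed order; the first missing one fails it.

    Sorting makes the failure order deterministic. In a real system the order is
    whatever the task happens to do first, which is why the ad hoc loop surfaces
    only one missing permission per attempt.
    """
    for permission in sorted(TASKS[task]):
        role.check(permission)


def derive_role_ad_hoc(tasks: Iterable[str]) -> tuple[Role, int]:
    """Simulate the iterative process: try a task, fail, request the missing
    permission, retry, until every task succeeds. Returns the role and the
    number of administrator round trips it took."""
    role = Role("vm-operator")
    round_trips = 0
    for task in tasks:
        while True:
            try:
                run_task(role, task)
                break
            except PermissionDenied as exc:
                role.permissions.add(exc.permission)  # administrator grants one more
                round_trips += 1
    return role, round_trips


def derive_role_from_requirements(tasks: Iterable[str]) -> Role:
    """Compute the least-privilege set in one step as the union of what the
    assigned tasks require, with no trial-and-error."""
    required = set().union(*(TASKS[t] for t in tasks))
    return Role("vm-operator", required)


def excess_permissions(role: Role, tasks: Iterable[str]) -> set[str]:
    """Permissions on the role that no assigned task needs (least-privilege audit)."""
    required = set().union(*(TASKS[t] for t in tasks))
    return role.permissions - required


if __name__ == "__main__":
    assigned = ["provision_vm", "stop_vm", "resize_volume"]
    role, trips = derive_role_ad_hoc(assigned)
    direct = derive_role_from_requirements(assigned)
    print(f"ad hoc: {len(role.permissions)} permissions after {trips} round trips")
    print(f"direct: {len(direct.permissions)} permissions, identical={role.permissions == direct.permissions}")
    bloated = Role("vm-operator", role.permissions | {"vm.delete"})
    print("excess:", excess_permissions(bloated, assigned))
```

With the constructed tasks, the ad hoc loop costs one failed attempt and one administrator request per distinct permission (six here), while computing the union from the task requirements yields the same six permissions immediately; the audit function is the check that turns the "no additional permissions" requirement into something enforceable.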